Severity High
Remote Yes
Type Information disclosure
The Linux kernel version 3.3-rc1 and later is affected by a vulnerability in the processing of incoming L2CAP bluetooth commands via the ConfigRequest and ConfigResponse messages resulting in leaking data in kernel address space. This information leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner.